Return to the 2006 Operating System Vulnerability Summary on OmniNerd
List of hosts
192.168.1.5 : Low Severity problem(s) found

192.168.1.5


Scan time :
Start time : Sun Feb 11 12:01:15 2007
End time : Sun Feb 11 12:13:28 2007
Number of vulnerabilities :
Open ports : 24
Low : 29
Medium : 1
High : 0

Information about the remote host :

Operating system : Linux Kernel 2.6
NetBIOS name : TESTING
DNS name : (unknown)

Port netbios-ns (137/tcp)
Using NetBIOS to retrieve information from a Windows host

Synopsis :

It is possible to obtain the network name of the remote host.

Description :

The remote host listens on UDP port 137 and replies to NetBIOS nbtscan
requests. By sending a wildcard request it is possible to obtain the
name of the remote system and the name of its domain.

Risk factor :

None

Plugin output :

The following 7 NetBIOS names have been gathered :

TESTING = Computer name
TESTING = Messenger Service
TESTING = File Server Service
__MSBROWSE__ = Master Browser
MSHOME = Workgroup / Domain name
MSHOME = Master Browser
MSHOME = Browser Service Elections

This SMB server seems to be a SAMBA server (MAC address is NULL).
CVE : CVE-1999-0621
Other references : OSVDB:13577

Nessus ID : 10150

Port general/udp
Traceroute
For your information, here is the traceroute from 192.168.1.250 to 192.168.1.5 :
192.168.1.250
192.168.1.5


Nessus ID : 10287

Port ftp (21/tcp)
Services
An FTP server is running on this port.
Here is its banner :
220 (vsFTPd 2.0.4)

Nessus ID : 10330
FTP Server Detection

Synopsis :

An FTP server is listening on this port

Description :

It is possible to obtain the banner of the remote FTP server
by connecting to the remote port.

Risk factor :

None

Plugin output :

The remote FTP banner is :
220 (vsFTPd 2.0.4)

Nessus ID : 10092
Anonymous FTP enabled

Synopsis :

Anonymous logins are allowed on the remote FTP server.

Description :

This FTP service allows anonymous logins. If you do not want to share data
with anyone you do not know, then you should deactivate the anonymous account,
since it can only cause trouble.

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)
CVE : CVE-1999-0497

Nessus ID : 10079

Port ssh (22/tcp)
Services
An ssh server is running on this port

Nessus ID : 10330
SSH Server type and version
Remote SSH version : SSH-2.0-OpenSSH_4.3p2 Debian-5ubuntu1

Remote SSH supported authentication : publickey,password
Nessus ID : 10267
SSH protocol versions supported
The remote SSH daemon supports the following versions of the
SSH protocol :

. 1.99
. 2.0


SSHv2 host key fingerprint : c9:4b:b3:ab:2e:b6:b2:33:16:4d:4b:db:72:5d:f0:b9
Nessus ID : 10881

Port general/icmp
icmp timestamp request

Synopsis :

It is possible to determine the exact time set on the remote host.

Description :

The remote host answers ICMP timestamp requests. This allows an attacker
to learn the date and time set on your machine.

This may help him to defeat any of your time-based authentication protocols.

Solution : filter out the ICMP timestamp requests (13), and the outgoing ICMP
timestamp replies (14).

Risk factor :

None / CVSS Base Score : 0
(AV:R/AC:L/Au:NR/C:N/A:N/I:N/B:N)

Plugin output :

The difference between the local and remote clocks is 18123 seconds

CVE : CVE-1999-0524

Nessus ID : 10114
Record route
Here is the route recorded between 192.168.1.250 and 192.168.1.5 :
192.168.1.5.
192.168.1.5.


Nessus ID : 12264

Port general/tcp
OS Identification
Nessus was not able to reliably identify the remote operating system. It might be:
IBM OS/400
Linux Kernel 2.4
SCO UnixWare 8.0

Nessus ID : 11936
IP protocols scan
The following IP protocols are accepted on this host:
1 ICMP
2 IGMP
6 TCP
17 UDP
41 IPv6


Nessus ID : 14788
Information about the scan
Information about this scan :

Nessus version : 3.0.4
Plugin feed version : 200701101815
Type of plugin feed : Registered (7 days delay)
Scanner IP : 192.168.1.250
Port scanner(s) : nessus_tcp_scanner synscan
Port range : default
Thorough tests : yes
Experimental tests : no
Paranoia level : 0
Report Verbosity : 2
Safe checks : no
Max hosts : 40
Max checks : 5
Scan Start Date : 2007/2/11 13:33
Scan duration : 690 sec


Nessus ID : 19506

Port microsoft-ds (445/tcp)
SMB Detection
A CIFS server is running on this port

Nessus ID : 11011
SMB NativeLanMan

Synopsis :

It is possible to obtain information about the remote operating
system.

Description :

It is possible to get the remote operating system name and
version (Windows and/or Samba) by sending an authentication
request to port 139 or 445.

Risk factor :

None

Plugin output :

The remote Operating System is : Unix
The remote native lan manager is : Samba 3.0.22
The remote SMB Domain Name is : TESTING


Nessus ID : 10785
SMB log in

Synopsis :

It is possible to logon on the remote host.

Description :

The remote host is running one of the Microsoft Windows operating
systems. It was possible to log on using one of the following
accounts :

- NULL session
- Guest account
- Given Credentials

See also :

http://support.microsoft.com/support/kb/articles/Q143/4/74.ASP
http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

Risk factor :

None

Plugin output :

- NULL sessions are enabled on the remote host

CVE : CVE-1999-0504, CVE-1999-0505, CVE-1999-0506, CVE-2000-0222, CVE-2002-1117, CVE-2005-3595
BID : 494, 990, 11199

Nessus ID : 10394
SMB LanMan Pipe Server browse listing

Synopsis :

It is possible to obtain network information.

Description :

It was possible to obtain the browse list of the remote
Windows system by sending a request to the LANMAN pipe.
The browse list is the list of the Windows systems nearest
to the remote host.

Risk factor :

None

Plugin output :

Here is the browse list of the remote host :

TESTING ( os: 0.0 )

Other references : OSVDB:300

Nessus ID : 10397

Port http (80/tcp)
Services
A web server is running on this port

Nessus ID : 10330
Directory Scanner
The following directories were discovered:
/cgi-bin, /icons

While this is not, in and of itself, a bug, you should manually inspect
these directories to ensure that they comply with company
security standards.

Other references : OWASP:OWASP-CM-006

Nessus ID : 11032
Web mirroring
The following CGIs have been discovered :

Syntax : cginame (arguments [default value])

. (C=M;O [A] C=N;O [D] C=S;O [A] C=D;O [A] )


Directory index found at /


Nessus ID : 10662
HMAP
This web server was fingerprinted as: Apache/2.0.40-2.2.3 (Unix),
which is not consistent with the displayed banner: Apache/2.0.55 (Ubuntu) PHP/5.1.6

If you think that Nessus was wrong, please send this signature
to www-signatures@nessus.org :
HTM:200:200:200:200:501:200:HTM:HTM:200:400:400:400:400:404:405:405:200:405:501:200:FIX:Apache/2.0.55 (Ubuntu) PHP/5.1.6

Try to provide as much information as you can: software & operating
system release, sub-version, patch numbers, and specific configuration
options, if any.

Nessus ID : 11919
HTTP Server type and version
The remote web server type is :

Apache/2.0.55 (Ubuntu) PHP/5.1.6


Solution : You can set the directive 'ServerTokens Prod' to limit
the information emanating from the server in its response headers.

Nessus ID : 10107
HTTP TRACE Method Enabled

Synopsis :

Debugging functions are enabled on the remote HTTP server.

Description :

The remote web server supports the TRACE and/or TRACK methods. TRACE and TRACK
are HTTP methods which are used to debug web server connections.

It has been shown that servers supporting these methods are subject to
cross-site scripting attacks, dubbed XST for "Cross-Site Tracing", when
used in conjunction with various weaknesses in browsers.

An attacker may use this flaw to trick your legitimate web users into giving
him their credentials.

Solution :

Disable these methods.

See also :

http://www.kb.cert.org/vuls/id/867593

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Plugin output :


Solution :
Add the following lines for each virtual host in your configuration file :

RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]


CVE : CVE-2004-2320
BID : 9506, 9561, 11604
Other references : OSVDB:877

Nessus ID : 11213

Port netbios-ssn (139/tcp)
SMB Detection
An SMB server is running on this port

Nessus ID : 11011

Port domain (53/udp)
DNS Cache Snooping

Synopsis :

Remote DNS server is vulnerable to Cache Snooping attacks.

Description :

The remote DNS server answers queries for third-party domains which do
not have the recursion bit set.

This may allow a remote attacker to determine which domains have recently
been resolved via this name server, and therefore which hosts have been
recently visited.

For instance, if an attacker was interested in whether your company utilizes
the online services of a particular financial institution, they would
be able to use this attack to build a statistical model regarding
company usage of the aforementioned financial institution. Of course,
the attack can also be used to find B2B partners, web-surfing patterns,
external mail servers, and more.

For a much more detailed discussion of the potential risks of allowing
DNS cache information to be queried anonymously, please see:
http://community.sidestep.pt/~luis/DNS-Cache-Snooping/DNS_Cache_Snooping_1.1.pdf

Risk factor :

Low / CVSS Base Score : 2
(AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)

Nessus ID : 12217
DNS Server Detection

A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low

Nessus ID : 11002
Usable remote name server

Synopsis :

The remote name server allows recursive queries to be performed
by the host running nessusd.


Description :

It is possible to query the remote name server for third-party names.

If this is your internal nameserver, then you can ignore this warning.

If you are probing a remote nameserver, then it allows anyone
to use it to resolve third-party names (such as www.nessus.org).
This allows attackers to perform cache poisoning attacks against this
nameserver.

If the host allows these recursive queries via UDP,
then the host can be used to 'bounce' Denial of Service attacks
against another network or system.

See also :

http://www.cert.org/advisories/CA-1997-22.html

Solution :

Restrict recursive queries to the hosts that should
use this nameserver (such as those of the LAN connected to it).

If you are using BIND 8, you can do this by using the directive
'allow-recursion' in the 'options' section of your named.conf.

If you are using BIND 9, you can define a grouping of internal addresses
using the 'acl' command.

Then, within the options block, you can explicitly state:
'allow-recursion { hosts_defined_in_acl; };'

For more info on Bind 9 administration (to include recursion), see:
http://www.nominum.com/content/documents/bind9arm.pdf

If you are using another name server, consult its documentation.

Risk factor :

Medium / CVSS Base Score : 4
(AV:R/AC:L/Au:NR/C:N/A:N/I:P/B:I)
CVE : CVE-1999-0024
BID : 136, 678

Nessus ID : 10539
DNS Server Fingerprint
The remote name server could be fingerprinted as being : ISC BIND 9.2.3


Nessus ID : 11951

Port domain (53/tcp)
DNS Server Detection

A DNS server is running on this port. If you do not use it, disable it.

Risk factor : Low

Nessus ID : 11002
Version of BIND

Synopsis :

It is possible to obtain the version number of the remote DNS server.

Description :

The remote host is running BIND, an open-source DNS server. It is possible
to extract the version number of the remote installation by sending
a special DNS request for the text 'version.bind' in the domain 'chaos'.

Solution :

It is possible to hide the version number of BIND by using the 'version'
directive in the 'options' section of named.conf.

Risk factor :

None

Plugin output :

The version of the remote BIND server is : 9.3.2
Other references : OSVDB:23

Nessus ID : 10028